Short hash-based signatures for wireless sensor networks

Short hash-based signatures for wireless sensor networks Erik Dahmen 1 and Christoph Krauß 2 1 Technische Universität Darmstadt Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany dahmen@cdc.informatik.tu-darmstadt.de 2 Fraunhofer Institute for Secure Information Technology SIT Department Network Security and Early Warning Systems Parkring 4, 85748 Garching, Germany christoph.krauss@sit.fraunhofer.de Abstract. We present a hash-based signature scheme customized for wireless sensor networks. For message lengths required by instructions or queries from the base station or single measurements like the temperature, signature generation is 7 times faster and verification is 158 times faster than state-of-the-art implementations of ECDSA at the same security level. For message lengths sufficient for most sensor network applications, the signature generation time is comparable to ECDSA, while signature verification remains 20 times faster. Our scheme can be used to authenticate messages exchanged between sensor nodes, as well as for securing broadcast authentication. Our scheme minimizes the overhead introduced in the network by the signature verification done by each sensor before relaying the message. Keywords: hash-based signature scheme, hash chain, wireless sensor network, Winternitz one-time signature scheme 1 Introduction Wireless sensor networks (WSNs) [1] can be deployed in many security- and safety-critical applications such as military surveillance, or medical applications such as patient health monitoring. Thus, securing WSNs is of paramount importance. A WSN can be viewed as a closed user group and therefore the application of symmetric cryptography seems sufficient. However, since sensor nodes are often deployed in an unattended or even hostile environment, an adversary may compromise a sensor node to access stored keys and compromise the security of the communication in the whole group [19]. This problem can be solved by using public key cryptography. For example, one can use the elliptic curve digital signature algorithm (ECDSA) to ensure the authenticity and integrity of the communication in a WSN. ECDSA is especially suited for WSNs because of its small signatures: 320 bit for a sufficiently high security level of 80 bits. There exist several implementations of ECDSA on WSNs [16,27,30] providing this security level. Signature generation takes between 0.81

and 2.16 seconds and signature verification takes between 1.62 and 4.32 seconds on typical sensor hardware. This shows that especially the ECDSA signature verification introduces a significant overhead in terms of time and energy required to verify a signature. This paper presents a hash-based digital signature scheme customized for WSNs that addresses this issue. For the same security level, our scheme provides nearly the same signature sizes as ECDSA. To achieve this, we exploit the property that messages to be signed mainly consist of only a few bits. Our scheme provides a trade-off between the signature generation / verification time and the maximum length of the message to be signed. If only 8-bit messages must be signed, signature generation is 7 times faster and signature verification is 158 times faster than ECDSA. In case of 14-bit messages, the signing time is comparable to ECDSA while signature verification remains 20 times faster. The signature size is 330 bit in both cases. These timings assume that our scheme is implemented on an Atmel ATMega128 [7] microcontroller and that the sensor node generates at most 2 10 signatures with one key pair. Being able to efficiently verify signatures is crucial for WSNs, because each node that relays a message should check its authenticity and integrity before doing so. The signature verification time is of main interest especially in broadcast authentication, where the signatures are generated by a powerful base station but signature verification is performed by resource constrained sensor nodes. While 8-bit messages can be used to transmit basic commands and single measurements like the temperature, 14-bit messages are sufficient for most other WSN applications. Our scheme makes use of a variant of the Winternitz one-time signature scheme [11] and a hash chain for the authentication of the one-time verification keys. Compared to the usual approach of using a Merkle tree [25] for authenticating verification keys, applying a hash chain significantly reduces the signature size because no authentication path must be transmitted. For example, at security level 80, this saves 800 bits if at most 2 10 signatures are generated. Similar to the Merkle construction, our scheme requires predetermining the number of signatures that can be generated with one key pair. Using a hash chain requires a verifier to receive all signatures generated by the signer, because the current signature is used to compute the authentication data for the next verification key. In our opinion, this is a reasonable assumption for most WSNs. Nevertheless, we discuss measures that can be taken in case a sensor node misses some signatures. Our scheme is similar to the construction proposed in [22]. The difference is that our construction explicitly makes use of a hash chain traversal algorithm. The benefit is, that the signer is no longer required to store all potentially used one-time key pairs to generate the hash chain. This reduces the memory requirements from linear in the maximum number of signatures to logarithmic in the maximum number of signatures. This is one of the reasons why our scheme is also applicable on sensor nodes and not only for broadcast authentication of base station messages. The second novelty is the modified Win-

ternitz construction that provides signature sizes currently only achievable by ECDSA. The remainder of this paper is organized as follows: Section 2 summarizes related work. In Section 3, the new hash-based signature scheme is introduced. Section 4 analyses the security and Section 5 provides a performance evaluation of the signature scheme. Finally, Section 6 states the authors conclusion. 2 Related work Research in the early stages of securing WSNs was predominantly focused on symmetric encryption schemes. For example, the work presented in [26,17,35] uses a Message Authentication Code (MAC) for two party authentication. To establish the required symmetric keys, a variety of key establishment schemes have been proposed [13,6]. However, for the reasons mentioned above, symmetric cryptography is not applicable if the sensors are deployed in a hostile environment. For this reason, research effort has been shifted on investigating the use of public key cryptography in resource constrained systems and WSNs. The goal is to overcome the key management issues of symmetric schemes and to provide a higher resilience against node compromise [33,15,16,23,32,12,3,4,27,31,2,30]. Public key cryptography is especially useful to authenticate broadcast messages from the base station since all verifying sensor nodes require only the public key of the base station. Gura et al. [16] presented a software implementation of the elliptic curve secp160r1 on an Atmel ATmega128 which is a commonly used CPU on sensor nodes such as the MICA2 [9]. An ECDSA sign operation takes 0.81 seconds and an ECDSA verify operation about 1.62 seconds. Similar values (0.89/1.77 seconds) for the MICA2 nodes are stated by Piotrowski et al. [27]. In [30], an ECC point multiplication using NIST k163 Koblitz curve over GF(2 163 ) is stated with 2.16 seconds (using binary field GF(2 m )) and 1.27 (using prime field GF(p)) on a MICA2 node. This implies that an ECDSA verify operation would take 4.32 (2.54) seconds. In [4], an implementation for GF(2 113 ) is presented which takes 6.74 seconds for one fixed point multiplication on a MICA2 node. However, the large execution times and energy requirements raise the question if public key cryptography is really applicable on sensor nodes. Especially the slow ECDSA signature verification poses a problem. As alternative to public key cryptography, approaches based on symmetric primitives have been proposed. The seminal µtesla protocol [26] provides an asymmetric mechanism by employing a delayed disclosure of symmetric keys. The drawback of this approach is the introduction of an authentication delay and the requirement for loose time synchronization. Hash-based one-time signature schemes have the advantage that signature generation and verification are very efficient. At first glance, this makes them very interesting for WSNs. However, they suffer two drawbacks. First, each key pair can be used to sign at most one message. Thus, for each message, a new authentic verification key is required at the receivers side. This problem can

be solved using Merkle s tree authentication scheme [25]. This approach uses a binary hash tree, also called Merkle tree, to reduce the validity of an arbitrary but fixed number of one-time verification keys to the validity of a single public key. Using Merkle s approach, the transmission of a potentially large authentication path becomes necessary. The second drawback is that hash-based signature schemes produce quite large signatures. Although the signature size can be reduced using the time-memory trade-off provided by the Winternitz one-time signature scheme [11], signature sizes comparable to ECDSA seem out of reach. 3 Short hash-based signatures We now describe the new digital signature scheme. It uses a variant of the Winternitz one-time signature scheme to sign the messages and a hash chain to authenticate the one-time verification keys. Our scheme is parameterized by the three integers n,l,w. The parameter n denotes the security level. The parameter l 1 determines the number of signatures that can be generated with one key pair. The parameter w 2 denotes the maximum bit length of the messages that can be signed using this key pair, where w must be divisible by 2. In the following, let f : {0,1} n {0,1} n and g : {0,1} 4n {0,1} n be hash functions that map bit strings of length n and 4n to bit strings of length n, respectively. Further, let prng : {0,1} n {0,1} n {0,1} n be a pseudo random number generator that maps an n bit seed to an n bit pseudo random number and an updated seed, i.e. prng(seed in ) = (rand,seed out ). Key pair generation. We first choose an initial seed ψ 1 {0,1} n and the end link z l {0,1} n of the hash chain uniformly at random. Next, we generate the one-time signature keys X i = (x i [0],x i [1],x i [2]) {0,1} (n,3) for i = 1,...,l using the PRNG and the seed ψ 1. (x i [0],ψ i) prng(ψ i ), (x i [1],ψ i ) prng(ψ i), (x i [2],ψ i+1 ) prng(ψ i ) (1) Note that the seed is updated each time the PRNG is used. The next step is to compute the one-time verification keys Y i = (y i [0],y i [1],y i [2]) {0,1} (n,3) for i = 1,...,l and the hash chain links z i {0,1} n for i = 0,...,l 1. We repeat the following steps for i = l,...,1 y i [0] f 2w/2 1 (x i [0]), y i [2] f 2w/2+1 2 (x i [2]), y i [1] f 2w/2 1 (x i [1]), z i 1 g(y i [0] y i [1] y i [2] z i ) (2) Here, denotes the concatenation of bit strings and f k (x) means that the function f is applied k times to x. Initially, the public key is the beginning link z 0 of the hash chain and the private key is the seed ψ 1 and the link z 1. Figure 1 shows how the hash chain is generated.

z 0 z 1 z 2 z l 1 z l Y 1 Y 2 Y l X 1 X 2 X l Fig. 1. Visualization of the hash chain. Signature generation. We describe the generation of the ith signature, i {1,...,l}, of the w-bit message m = m 1 m 2 {0,...,2 w/2 1} 2. The signer knows the seed ψ i required to generate the ith one-time signature key and the ith link of the hash chain z i. For the first signature (i = 1), the signer knows ψ 1 and z 1 from key pair generation. At first the signer generates x i [0],x i [1],x i [2] as described in (1). Doing so he obtains the updated seed ψ i+1 and stores it in the private key for the next signature i + 1. Next, he uses the message m 1 m 2 to compute the checksum c 2 w/2+1 2 m 1 m 2 (3) and finally generates (α 1,α 2,α 3 ), the one-time signature of m. α 1 f m1 (x i [0]), α 2 f m2 (x i [1]), α 3 f c (x i [2]) (4) In total, the signature of message m is given as σ = (i,α 1,α 2,α 3,z i ). After signing, the signer must compute the previous link of the hash chain z i+1 which is required for the next signature. This can be accomplished using an arbitrary hash chain traversal algorithm. For our analysis we use the algorithm presented in [34], which requires the computation of 1 2 log 2 l links in each round and needs to store log 2 l links and seeds. Signature verification. The verification of a signature σ = (i,α 1,α 2,α 3,z i ) of message m works as follows. The verifier knows the i 1th link of the hash chain z i 1. For the first signature (i = 1), the link z 0 is the signers public key. Signature verification consists of two steps. First, the verifier uses α 1,α 2,α 3 to recompute the one-time verification key Y i = (β 1,β 2,β 3 ). Second, he checks whether the chain link z i 1 can be computed using this one-time verification key and the link z i included in the signature. β 1 = f 2w/2 1 m 1 (α 1 ), β 3 = f 2w/2+1 2 c (α 3 ), β 2 = f 2w/2 1 m 2 (α 2 ), g(β 1 β 2 β 3 z i )? = z i 1 (5) If the comparison is successful, the signature is accepted as valid. Finally, the verifier discards the link z i 1 and stores z i for the verification of the next signature i + 1.

4 Security We now analyze the security of the proposed signature scheme. We will show that our scheme is unforgeable if the hash functions f and g are preimage and second preimage resistant. We will also consider the case where an adversary exploits the properties of WSNs to perform attacks. 4.1 Security against preimage and second preimage attacks The goal of this section is to show that breaking the proposed signature scheme requires breaking cryptographic properties of the used hash functions f and g. These cryptographic properties are preimage and second preimage resistant. For a detailed description of the various cryptographic properties of hash functions we refer to [28]. We begin by considering two attacks and show that performing them successfully requires the attacker to be able to compute preimages or second preimages. Then we discuss the provable security of our scheme. An attacker has two possibilities attacking our scheme via breaking cryptographic properties of the used hash functions. The first possibility is trying to forge a one-time signature as follows. Assume the attacker is given a one-time signature (α 1,α 2,α 3 ) of message m = m 1 m 2 and wants to generate a valid one-time signature σ = (α 1,α 2,α 3) of a different message m = m 1 m 2. There are two cases to consider. Case 1: (m 1 < m 1 or m 2 < m 2 ) To obtain a valid one-time signature, the attacker must compute α 1 = f m 1 m1 (α 1 ) and α 2 = f m 2 m2 (α 2 ). This requires the attacker to be able to compute preimages of the hash function f, since either m 1 m 1 < 0 or m 2 m 2 < 0 holds. Case 2: (m 1 m 1 and m 2 m 2 ) In this case, the signer can easily compute α 1 = f m 1 m1 (α 1 ) and α 2 = f m 2 m2 (α 2 ). However, in order to compute α 3 = f c c (α 3 ), the attacker must be able to compute preimages of the hash function f because, according to Equation (3), the checksum c of message m is smaller than the checksum c of message m; c c = m 1 m 1+m 2 m 2 < 0. If the function f is preimage resistant, this attack cannot be performed. Note, that, as in the Winternitz scheme, the purpose of the checksum is to prevent this attack. The second possibility an attacker has is to choose his own one-time signature key X = (x [0],x [1],x [2]) {0,1} (n,3) which allows him to sign arbitrary messages. The task of the attacker then is to include the corresponding one-time verification key Y = (y [0],y [1],y [2]) {0,1} (n,3), computed as in Equation (2), in the hash chain of the signer. He must therefore be able to find z {0,1} n, such that g(y [0] y [1] y [2] z ) = z i 1 = g(y i [0] y i [1] y i [2] z i ) holds for some i {1,...,l}. Here we assume that the values y i [0],y i [1],y i [2], z i,z i 1 are known by the attacker, since he is able to compute them from the

ith signature generated by the signer as shown in Equation (5). An attacker who is able to successfully perform this attack is also able to compute second preimages of the hash function g. In fact, successfully performing this attack is more complicated than computing second preimages, since the first part of the second preimage is determined by the one-time verification key Y = (y [0],y [1],y [2]) and cannot be chosen freely. Hence, this attack cannot be performed if the function g is second preimage resistant. In summary, based on these attacks we require f to be a preimage resistant hash function and g to be a second preimage resistant hash function. The best generic attack to break these cryptographic properties of hash functions with output length n bit is exhaustive search. In the following, we therefore assume that our scheme provides a security level of n bits, which means that an attacker on average requires 2 n 1 evaluations of the hash functions to break the scheme. Estimating the security level based on the best known attacks is sometimes considered dubious. Although we are confident that no attack better than the ones described above exists, there is no guarantee. To guarantee that no better attack exists, a security reduction is required. In hash-based cryptography there exist security reductions for Merkle s tree authentication scheme to the collision resistance of the used hash function and the Lamport Diffie one-time signature scheme to the preimage resistance of the used hash function [10]. By slightly modifying Merkle s construction, a security reduction to the second preimage resistance of the used hash function is also possible [10]. Since our hash chain based construction can be interpreted as a linearized version of Merkle s tree authentication scheme, these security reductions can be adopted to our scheme. Estimating the security level of our signature scheme based on the security reduction increases the signature size by n bit, since the hash function g is now required to be collision resistant. However, no attack that requires the adversary to be able to compute collisions is known neither for Merkle s tree authentication scheme combined with the Winternitz scheme nor for our signature scheme. We therefore assume that our scheme has security level n bit. 4.2 WSN specific attacks Next, we consider an adversary that tries to exploit some of the special properties of WSNs to perform attacks. Relevant are the wireless multihop communication and the possibility of node compromise. One threat to WSNs are replay attacks, where an attacker replays previously sent messages, for example to order the sensor nodes to reboot. One great advantage of our scheme is that such attacks are not possible, since a sensor node can detect a replay attack using the index i enclosed in the signature. However, because of the wireless multihop communication, an adversary could perform a successful replay attack by first preventing the reception of messages (e.g., by jamming the wireless channel or by performing a selective forwarding attack [18]) and then replaying valid messages at a later point in time. This is a problem that all signature schemes have in common and is not unique to the scheme presented here. To mitigate this type of attack, timestamps could

be added to the signature to create a time window where the message is valid. Another strategy an adversary can pursue is to prevent valid authentications. An adversary can perform Denial-of-Service attacks such as jamming or selective forwarding attacks to prevent the sensor node from receiving messages. This is hard to prevent and a general problem of the wireless multihop communication. However, in the case of our scheme, message loss prevents later messages to be authenticated. This might not only be a result of an attack but could also be caused by the unreliable wireless channel. To enable sensor nodes to resynchronize to the current verification link z i 1, they could send a request to the base station which unicasts the link z i 1 to the respective sensor nodes. To secure this communication, a pairwise symmetric key could be used to generate MACs over the exchanged messages. This approach is reasonable if the sensor nodes are located nearby the sink. To decrease the communication overhead for farther located sensor nodes, each sensor node could buffer a certain number of received signatures σ and send them to neighboring nodes if required. Only if neighboring nodes cannot provide the required signatures σ to resynchronize, the base station is contacted. If the scheme is used to authenticate messages exchanged between sensor nodes, an adversary could try to compromise a sensor node to access all keys and data stored on the node. This would enable the adversary to generate valid signatures originating from this node. However, in contrast to the symmetric key approach, the adversary can only generate signatures from the compromised node and not from other non-compromised sensor nodes. This is a general advantage of public key based signature schemes. One possibility to cope with node compromise is the use of tamper-resistant hardware which may be applicable in certain scenarios [20]. 5 Performance evaluation This section deals with the performance of our signature scheme. We begin by estimating the cost and memory requirements. Then we explain how the functions f,g and prng are implemented. Finally, we estimate timings and sizes for different parameters and compare our scheme with ECDSA. 5.1 Cost and memory requirements The following formulae show the number of evaluations of f, g, and prng required for computing a hash chain link, key pair generation, signature generation, and verification. Here, c f,c g,c prng denotes the cost for one evaluation of f,g,prng, respectively. The cost for one link of the hash chain is given by Equations (1) and (2). Key pair generation requires l links to be computed. The initialization of the hash chain traversal algorithm [34] can be done during key pair generation without extra cost. Signing requires the computation of 1 2 log 2 l links for the traversal algorithm as well as (2 w/2+1 2)c f and 3c prng according to Equations (4) and (1). The verification cost is given by Equation (5).

( ) c link = 2 w/2+2 4 c f + c g + 3 c prng (6) c keygen = l c link (7) c sign = 1 2 log 2 l ( ) c link + 2 w/2+1 2 c f + 3 c prng (8) ( ) c verify = 2 w/2+1 2 c f + c g (9) The following formulae show the sizes of the signature, private key, and public key. The private key requires 2n bits to store the current seed ψ i and hash chain link z i as well as 2n log 2 l bits to store the log 2 l links and seeds required by the traversal algorithm. The public key consists only of the last link of the hash chain received by the verifier. The signature requires 3n bits for the one-time signature, n bits for the hash chain link, and log 2 l bits for the index i. s privkey = 2n( log 2 l + 1) bit (10) s pubkey = n bit (11) s signature = 4n + log 2 l bit (12) 5.2 Construction of f, g, and prng We now describe concrete implementations of the three functions f : {0,1} n {0,1} n prng : {0,1} n {0,1} n {0,1} n g : {0,1} 4n {0,1} n seed in (rand,seed out ) (13) used in our scheme. For the construction of f and g we use AES in the Matyas- Meyer-Oseas (MMO) mode [24] and truncate the output to n bits. Let E k (m) denote an AES encryption of message m with key k, let denote bitwise XOR, and let x n denote truncation of the bit string x to n bits. Also, let IV be an initialization vector. Then the functions f and g are constructed as follows. f(x) = E IV (x) x n g(x 1,x 2,x 3,x 4 ) = E k3 (x 4 ) x 4 n with k 3 = E k2 (x 3 ) x 3, (14) k 2 = E k1 (x 2 ) x 2, k 1 = E IV (x 1 ) x 1 Before applying the AES encryption, x is padded from the left with 128 n zeroes. For the implementation of the PRNG we use the following construction. due to [14]. prng(ψ) = (f(ψ),f(ψ) + ψ + 1 mod 2 n ) (15) This construction is already used for the signature key generation in implementations of the Merkle signature scheme [5,29].

5.3 Practical performance In the following, we estimate timings and sizes of our signature scheme for different maximum message lengths w and number of signatures l. Then we compare our scheme with ECDSA. We compare our scheme exclusively with ECDSA, because ECDSA is the only digital signature scheme that offers the same signature size as our scheme. Other hash-based signature schemes, like the Winternitz scheme, have much larger signature sizes. In the following, we choose n = 80 as output length of the hash functions. According to Section 4, this yields a security level comparable to elliptic curves over a 160-bit prime field. The timings are obtained by first estimating the number of evaluations of f, g, and prng required for the specific choice of parameters using Equations (6)- (9). This number is converted to actual timings using that one AES encryption takes 0.3 msec as measured by the authors of [29] on an Atmel ATMega128 microcontroller. We therefore assume that one evaluation of f, g, and prng takes 0.3, 1.2, and 0.3 msec, respectively Table 1. Signature generation and verification timings of our signature scheme at security level 80 (n = 80). (l, w) t sign t verify (2 10, 8) 110.4 msec 10.2 msec (2 16, 8) 170.7 msec 10.2 msec (2 10, 10) 216.0 msec 19.8 msec (2 16, 10) 333.9 msec 19.8 msec (2 10, 12) 427.2 msec 39.0 msec (2 16, 12) 660.3 msec 39.0 msec (2 10, 14) 849.6 msec 77.4 msec (2 16, 14) 1313.1 msec 77.4 msec (2 10, 16) 1694.4 msec 154.2 msec (2 16, 16) 2618.7 msec 154.2 msec (2 10, 18) 3384.0 msec 307.8 msec (2 16, 18) 5229.9 msec 307.8 msec (2 10, 20) 6763.2 msec 615.0 msec (2 16, 20) 10452.3 msec 615.0 msec (2 10, 22) 13521.6 msec 1229.4 msec (2 16, 22) 20897.1 msec 1229.4 msec Table 1 summarizes the signature generation and verification time for different choices of parameters. The security parameter n is fixed to 80 to provide a security level comparable to 160-bit elliptic curves. We state timings for up to l = 2 10 and l = 2 16 signatures and different maximum message lengths. We don t state timings for more than 2 16 signatures, because on the one hand 2 16 signatures are sufficient for typical sensor node applications and on the other hand, updating the private and public key more than 2 16 times is not possible because

this would exceed the life-span of the EEPROM where private and public key are stored. Table 1 omits the time required for key pair generation on the sensor node, since it would take far to long. However, from previous timings for the Merkle scheme [5], we can deduce that key pair generation on a PC does take more than a few minutes. Table 2 shows the sizes of the keys and signatures, again for up to l = 2 10 and l = 2 16 signatures. Note that these sizes do not depend on the parameter w. Table 2. Key and signature sizes of the new signature scheme at security level 80 (n = 80). (l, w) s signature s privkey s pubkey (2 10, ) 330 bits 1760 bits 80 bits (2 16, ) 336 bits 2720 bits 80 bits Table 2 shows that signatures of our scheme are almost as small as ECDSA signatures. This is because we need additional 10 to 16 bits to store the index of the signature. Although the size of the private key is large compared to ECDSA, it can be easily stored on the sensor node. Table 1 shows that the signature verification time does not depend on the parameter l. This is especially meaningful in the scenario where our scheme is used for broadcast authentication. Table 1 also clarifies the flexibility of our construction. If a sensor node needs to sign only 8-bit messages, e.g. if it measures only the temperature, our scheme drastically outperforms ECDSA both in signature generation (7 times faster) and verification (158 times faster). For the parameters (l,w) = (2 16,12) and (l,w) = (2 10,14) the signature generation time of our scheme is comparable to ECDSA but signature verification still is more than 20 times faster. If messages of bit length more than 14 have to be signed, signature generation of our scheme is less efficient than ECDSA. However, for message lengths up to 22-bit, signature verification of our scheme remains faster than ECDSA which is again meaningful for broadcast authentication. For the comparison with ECDSA, we use the timings due to Gura et al. [16], i.e. 0.81 seconds for signature generation and 1.62 seconds for signature verification. Finally, we remark that 16384 different messages can be encoded in 14 bits, which should me more than enough for most sensor network applications. 6 Conclusion We present a hash-based digital signature scheme customized for wireless sensor networks that offers the same signature size as ECDSA at the same security level. We show explicit formulae to estimate the timings and memory requirements of our scheme for a given choice of parameters. Using AES timings measured on an

Atmel ATMega128, we show that our scheme provides 7 times faster signature generation and 158 times faster verification than ECDSA for message lengths required by instructions or queries from the base station or single measurements like the temperature. In case of message lengths sufficient for most other WSN applications, the signature generation time is comparable to ECDSA, while signature verification remains 20 times faster. Future research includes an implementation of our scheme to estimate the exact power consumption of signature generation and verification. In addition, we also plan an implementation on a platform providing hardware acceleration for AES such as the Atmel ATxmega 128A1 processor [8]. Results presented in [29] indicate that this would result in a speed up of our scheme by a factor of more than 3. We will also compare our implementations with hardware accelerated ECC implementations [21]. References 1. Ian Akyildiz, Weilian Su, Yogesh Sankarasubramaniam, and Erdal Cayirci. A survey on sensor networks. IEEE Communications Magazine 40, 8:102 114, 2002. 2. Lejla Batina, Nele Mentens, Kazuo Sakiyama, Bart Preneel, and Ingrid Verbauwhede. Low-cost elliptic curve cryptography for wireless sensor networks. In Third European Workshop on Security and Privacy in Ad-Hoc and Sensor Networks (ESAS), 2006. 3. Erik-Oliver Blaß, Holger Junker, and Martina Zitterbart. Effiziente implementierung von public-key algorithmen für sensornetze. In GI Jahrestagung (2), pages 140 144, 2005. 4. Erik-Oliver Blaß and Martina Zitterbart. Towards acceptable public-key encryption in sensor networks. In IWUC, 2005. 5. Johannes Buchmann, Carlos Coronado, Erik Dahmen, Martin Döring, and Elena Klintsevich. CMSS - an improved merkle signature scheme. In INDOCRYPT, volume 4329 of Lecture Notes in Computer Science. Springer. 6. Haowen Chan, Adrian Perrig, and Dawn Song. Random key predistribution schemes for sensor networks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003. 7. ATMEL Corporation. Atmel atmega128 datasheet, 2006. www.atmel.com/dyn/ resources/prod_documents/doc2467.pdf. 8. ATMEL Corporation. Atmel atxmega128a1 datasheet, 2009. http://www.atmel. com/dyn/resources/prod_documents/doc8067.pdf. 9. Crossbow Technology Inc. MICA2 datasheet. http://www.xbow.com/products/ Product_pdf_files/Wireless_pdf/MICA2_Datasheet.pdf. 10. E. Dahmen, K. Okeya, T. Takagi, and C. Vuillaume. Digital signatures out of second-preimage resistant hash functions. In 2nd International Workshop on Post- Quantum Cryptography (PQCrypto), 2008. 11. Chris Dods, Nigel Smart, and Martijn Stam. Hash based digital signature schemes. In Cryptography and Coding, 2005. 12. Wenliang Du, Ronghua Wang, and Peng Ning. An efficient scheme for authenticating public keys in sensor networks. In Proceedings of the 6th ACM international symposium on Mobile ad hoc networking and computing (MobiHoc), 2005.

13. Laurent Eschenauer and Virgil D. Gligor. A key-management scheme for distributed sensor networks. In Proceedings of the 9th ACM conference on Computer and communications security (CCS), 2002. 14. Digital signature standard (DSS). FIPS PUB 186-2, 2007. Available at http: //csrc.nist.gov/publications/fips/. 15. Gunnar Gaubatz, Jens-Peter Kaps, and Berk Sunar. Public key cryptography in sensor networks - revisited. In Security in Ad-hoc and Sensor Networks (ESAS), 2004. 16. Nils Gura, Arun Patel, Arvinderpal Wander, Hans Eberle, and Sheueling Chang Shantz. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In Cryptographic Hardware and Embedded Systems (CHES), 2004. 17. Chris Karlof, Naveen Sastry, and David Wagner. TinySec: A link layer security architecture for wireless sensor networks. In Proceedings of the 2nd international conference on Embedded networked sensor systems (SenSys), 2004. 18. Chris Karlof and David Wagner. Secure routing in wireless sensor networks: attacks and countermeasures. In Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, 2003. 19. Christoph Krauß, Markus Schneider, and Claudia Eckert. On handling insider attacks in wireless sensor networks. Information Security Technical Report, 13:165 172, 2008. Elsevier. 20. Christoph Krauß, Frederic Stumpf, and Claudia Eckert. Detecting node compromise in hybrid wireless sensor networks using attestation techniques. In Fourth European Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), 2007. 21. Sandeep S. Kumar and Christof Paar. Reconfigurable instruction set extension for enabling ecc on an 8-bit processor. In Field Programmable Logic and Application (FPL), 2004. 22. Mark Luk, Adrian Perrig, and Bram Whillock. Seven cardinal properties of sensor network broadcast authentication. In ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), 2006. 23. David J. Malan, Matt Welsh, and Michael D. Smith. A public-key infrastructure for key distribution in tinyos based on elliptic curve cryptography. In First IEEE International Conference on Sensor and Ad Hoc Communications and Networks, 2004. 24. A. J. Menezes, S. A. Vanstone, and P. C. Van Oorschot. Handbook of Applied Cryptography. CRC Press, 1996. 25. Ralph C. Merkle. A certified digital signature. In CRYPTO 89: Proceedings on Advances in cryptology, pages 218 238, New York, NY, USA, 1989. Springer-Verlag New York, Inc. 26. Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and David E. Culler. SPINS: security protocols for sensor networks. Wirel. Netw., 8(5):521 534, 2002. 27. Krzysztof Piotrowski, Peter Langendoerfer, and Steffen Peter. How public key cryptography influences wireless sensor node lifetime. In Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks (SASN), 2006. 28. P. Rogaway and T. Shrimpton. Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In Fast Software Encryption (FSE), volume 3017, pages 371 388, 2004. 29. Sebastian Rohde, Thomas Eisenbarth, Erik Dahmen, Johannes Buchmann, and Christoph Paar. Fast hash-based signatures on constrained devices. In Eighth

Smart Card Research and Advanced Application Conference (CARDIS), volume 5189 of Lecture Notes in Computer Science. Springer. 30. Piotr Szczechowiak, Leonardo B. Oliveira, Michael Scott, Martin Collier, and Ricardo Dahab. Nanoecc: Testing the limits of elliptic curve cryptography in sensor networks. In European Conference on Wireless Sensor Networks (EWSN), 2008. 31. Leif Uhsadel, Axel Poschmann, and Christof Paar. Enabling full-size public-key algorithms on 8-bit sensor nodes. In Security and Privacy in Ad-hoc and Sensor Networks (ESAS), 2007. 32. Arvinderpal S. Wander, Nils Gura, Hans Eberle, Vipul Gupta, and Sheueling Chang Shantz. Energy analysis of public-key cryptography for wireless sensor networks. In Proceedings of the Third IEEE International Conference on Pervasive Computing and Communications (PERCOM), 2005. 33. Ronald Watro, Derrick Kong, Sue fen Cuti, Charles Gardiner, Charles Lynn, and Peter Kruus. TinyPK: securing sensor networks with public key technology. In Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks (SASN), 2004. 34. Dae Hyun Yum, Jae Woo Seo, Sungwook Eom, and Pil Joong Lee. Single-layer fractal hash chain traversal with almost optimal complexity. In CT-RSA, volume 5473 of Lecture Notes in Computer Science, pages 325 339. Springer, 2009. 35. Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. LEAP: efficient security mechanisms for large-scale distributed sensor networks. In Proceedings of the 10th ACM conference on Computer and communications security (CCS), 2003.